Open Source Computer Security Incident Response Team

The oCERT project was started in March 2008 and concluded in August 2017.


The oCERT was a public effort to provide security vulnerability mediation for the open source community, maintaining reliable security contacts between registered projects and reporters that needed to get in touch with a specific project regarding infrastructure security issues or projects vulnerabilities.

The project was announced at the CanSecWest conference in March 2008, many years before bug bounties or efforts like Google Project Zero were introduced. The oCERT effort was very much ahead of its times.

The idea spawned from the quite obvious need for coordinated vulnerability investigation and disclosure among open source projects, particularly with multiple libraries statically included by a vast number of software.

To this end Andrea Barisani and Daniele Bianco from Inverse Path along with Will Drewry and Tavis Ormandy from Google, decided to create oCERT. The team was assisted by an advisory board with Solar Designer and Dragos Ruiu as members.

The project contributed 61 advisories covering vulnerabilities ranging from single project bugs, to critical findings affecting core libraries and numerous projects sharing their code, up to entirely new classes of vulnerabilities affecting multiple programming languages.

The oCERT project was sponsored by Inverse Path and Google with hosting kindly provided by the OSU Open Source Lab.

oCERT was authorized to use the CERT mark by Carnegie Mellon University's Software Engineering Institute; however, oCERT has never been otherwise affiliated or endorsed by Carnegie Mellon University or its CERT Coordination Center.

Advisory archive

All published advisories are archived here.

Disclosure policy